nist-privacy-1.0.yaml

urn: urn:intuitem:risk:library:nist-privacy-1.0
locale: en
ref_id: NIST-PRIVACY-1.0
name: NIST PRIVACY FRAMEWORK 1.0
description: 'NIST Privacy Framework: A Tool for Improving Privacy through Enterprise
  Risk Management. Details and credits on https://www.nist.gov/privacy-framework'
copyright: With the exception of material marked as copyrighted, information presented
  on NIST sites are considered public information and may be distributed or copied.
version: 1
provider: NIST
packager: intuitem
objects:
  framework:
    urn: urn:intuitem:risk:framework:nist-privacy-1.0
    ref_id: NIST-PRIVACY-1.0
    name: NIST PRIVACY FRAMEWORK 1.0
    description: NIST Privacy Framework
    requirement_nodes:
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p
      assessable: false
      depth: 1
      ref_id: ID-P
      name: IDENTIFY-P
      description: Develop the organizational understanding to manage privacy risk
        for individuals arising from data processing.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p
      ref_id: ID.IM-P
      name: Inventory and Mapping
      description: Data processing by systems, products, or services is understood
        and informs the management of privacy risk.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p
      ref_id: ID.IM-P1
      description: Systems/products/services that process data are inventoried.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p
      ref_id: ID.IM-P2
      description: Owners or operators (e.g., the organization or third parties such
        as service providers, partners, customers, and developers) and their roles
        with respect to the systems/products/services and components (e.g., internal
        or external) that process data are inventoried.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p
      ref_id: ID.IM-P3
      description: Categories of individuals (e.g., customers, employees or prospective
        employees, consumers) whose data are being processed are inventoried.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p
      ref_id: ID.IM-P4
      description: Data actions of the systems/products/services are inventoried.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p
      ref_id: ID.IM-P5
      description: The purposes for the data actions are inventoried.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p
      ref_id: ID.IM-P6
      description: Data elements within the data actions are inventoried.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p
      ref_id: ID.IM-P7
      description: The data processing environment is identified (e.g., geographic
        location, internal, cloud, third parties).
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.im-p
      ref_id: ID.IM-P8
      description: Data processing is mapped, illustrating the data actions and associated
        data elements for systems/products/services, including components; roles of
        the component owners/operators; and interactions of individuals or third parties
        with the systems/products/services.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p
      ref_id: ID.BE-P
      name: Business Environment
      description: "The organization\u2019s mission, objectives, stakeholders, and\
        \ activities are understood and prioritized; this information is used to inform\
        \ privacy roles, responsibilities, and risk management decisions."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p
      ref_id: ID.BE-P1
      description: "The organization\u2019s role(s) in the data processing ecosystem\
        \ are identified and communicated."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p
      ref_id: ID.BE-P2
      description: Priorities for organizational mission, objectives, and activities
        are established and communicated.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.be-p
      ref_id: ID.BE-P3
      description: Systems/products/services that support organizational priorities
        are identified and key requirements communicated.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p
      ref_id: ID.RA-P
      name: Risk Assessment
      description: The organization understands the privacy risks to individuals and
        how such privacy risks may create follow-on impacts on organizational operations,
        including mission, functions, other risk management priorities (e.g., compliance,
        financial), reputation, workforce, and culture.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p
      ref_id: ID.RA-P1
      description: "Contextual factors related to the systems/products/services and\
        \ the data actions are identified (e.g., individuals\u2019 demographics and\
        \ privacy interests or perceptions, data sensitivity and/or types, visibility\
        \ of data processing to individuals and third parties). "
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p
      ref_id: ID.RA-P2
      description: Data analytic inputs and outputs are identified and evaluated for
        bias.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p
      ref_id: ID.RA-P3
      description: 'Potential problematic data actions and associated problems are
        identified. '
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p
      ref_id: ID.RA-P4
      description: Problematic data actions, likelihoods, and impacts are used to
        determine and prioritize risk.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.ra-p
      ref_id: ID.RA-P5
      description: Risk responses are identified, prioritized, and implemented.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id-p
      ref_id: ID.DE-P
      name: Data Processing Ecosystem Risk Management
      description: "The organization\u2019s priorities, constraints, risk tolerance,\
        \ and assumptions are established and used to support risk decisions associated\
        \ with managing privacy risk and third parties within the data processing\
        \ ecosystem. The organization has established and implemented the processes\
        \ to identify, assess, and manage privacy risks within the data processing\
        \ ecosystem."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p
      ref_id: ID.DE-P1
      description: Data processing ecosystem risk management policies, processes,
        and procedures are identified, established, assessed, managed, and agreed
        to by organizational stakeholders.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p
      ref_id: ID.DE-P2
      description: Data processing ecosystem parties (e.g., service providers, customers,
        partners, product manufacturers, application developers) are identified, prioritized,
        and assessed using a privacy risk assessment process.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p
      ref_id: ID.DE-P3
      description: "Contracts with data processing ecosystem parties are used to implement\
        \ appropriate measures designed to meet the objectives of an organization\u2019\
        s privacy program. "
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p
      ref_id: ID.DE-P4
      description: 'Interoperability frameworks or similar multi-party approaches
        are used to manage data processing ecosystem privacy risks. '
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:id.de-p
      ref_id: ID.DE-P5
      description: Data processing ecosystem parties are routinely assessed using
        audits, test results, or other forms of evaluations to confirm they are meeting
        their contractual, interoperability framework, or other obligations.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p
      assessable: false
      depth: 1
      ref_id: GV-P
      name: GOVERN-P
      description: "Develop\_and implement\_the organizational governance structure\
        \ to enable an ongoing understanding of the organization\u2019s risk management\
        \ priorities\_that are\_informed by privacy risk."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p
      ref_id: GV.PO-P
      name: Governance Policies, Processes, and Procedures
      description: "The policies, processes, and procedures to manage and monitor\
        \ the organization\u2019s regulatory, legal, risk, environmental, and operational\
        \ requirements are understood and inform the management of privacy risk."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p
      ref_id: GV.PO-P1
      description: "Organizational privacy values and policies (e.g., conditions on\
        \ data processing such as data uses or retention periods, individuals\u2019\
        \ prerogatives with respect to data processing) are established and communicated."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p
      ref_id: GV.PO-P2
      description: Processes to instill organizational privacy values within system/product/service
        development and operations are established and in place.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p
      ref_id: GV.PO-P3
      description: 'Roles and responsibilities for the workforce are established with
        respect to privacy. '
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p
      ref_id: GV.PO-P4
      description: Privacy roles and responsibilities are coordinated and aligned
        with third-party stakeholders (e.g., service providers, customers, partners).
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p
      ref_id: GV.PO-P5
      description: Legal, regulatory, and contractual requirements regarding privacy
        are understood and managed.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.po-p
      ref_id: GV.PO-P6
      description: Governance and risk management policies, processes, and procedures
        address privacy risks.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p
      ref_id: GV.RM-P
      name: Risk Management Strategy
      description: "The organization\u2019s priorities, constraints, risk tolerances,\
        \ and assumptions are established and used to support operational risk decisions."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p
      ref_id: GV.RM-P1
      description: Risk management processes are established, managed, and agreed
        to by organizational stakeholders.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p
      ref_id: GV.RM-P2
      description: Organizational risk tolerance is determined and clearly expressed.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.rm-p
      ref_id: GV.RM-P3
      description: "The organization\u2019s determination of risk tolerance is informed\
        \ by its role(s) in the data processing ecosystem."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p
      ref_id: GV.AT-P
      name: Awareness and Training
      description: "The organization\u2019s workforce and third parties engaged in\
        \ data processing are provided privacy awareness education and are trained\
        \ to perform their privacy-related duties and responsibilities consistent\
        \ with related policies, processes, procedures, and agreements and organizational\
        \ privacy values."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p
      ref_id: GV.AT-P1
      description: 'The workforce is informed and trained on its roles and responsibilities. '
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p
      ref_id: GV.AT-P2
      description: Senior executives understand their roles and responsibilities.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p
      ref_id: GV.AT-P3
      description: Privacy personnel understand their roles and responsibilities.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.at-p
      ref_id: GV.AT-P4
      description: Third parties (e.g., service providers, customers, partners) understand
        their roles and responsibilities.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv-p
      ref_id: GV.MT-P
      name: Monitoring and Review
      description: "The policies, processes, and procedures for ongoing review of\
        \ the organization\u2019s privacy posture are understood and inform the management\
        \ of privacy risk."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p
      ref_id: GV.MT-P1
      description: "Privacy risk is re-evaluated on an ongoing basis and as key factors,\
        \ including the organization\u2019s business environment (e.g., introduction\
        \ of new technologies), governance (e.g., legal obligations, risk tolerance),\
        \ data processing, and systems/products/services change."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p
      ref_id: GV.MT-P2
      description: 'Privacy values, policies, and training are reviewed and any updates
        are communicated. '
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p
      ref_id: GV.MT-P3
      description: Policies, processes, and procedures for assessing compliance with
        legal requirements and privacy policies are established and in place.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p
      ref_id: GV.MT-P4
      description: Policies, processes, and procedures for communicating progress
        on managing privacy risks are established and in place.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p
      ref_id: GV.MT-P5
      description: Policies, processes, and procedures are established and in place
        to receive, analyze, and respond to problematic data actions disclosed to
        the organization from internal and external sources (e.g., internal discovery,
        privacy researchers, professional events).
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p
      ref_id: GV.MT-P6
      description: Policies, processes, and procedures incorporate lessons learned
        from problematic data actions.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:gv.mt-p
      ref_id: GV.MT-P7
      description: Policies, processes, and procedures for receiving, tracking, and
        responding to complaints, concerns, and questions from individuals about organizational
        privacy practices are established and in place.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p
      assessable: false
      depth: 1
      ref_id: CT-P
      name: CONTROL-P
      description: Develop and implement appropriate activities to enable organizations
        or individuals to manage data with sufficient granularity to manage privacy
        risks.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p
      ref_id: CT.PO-P
      name: Data Processing Policies, Processes, and Procedures
      description: "Policies, processes, and procedures are maintained and used to\
        \ manage data processing (e.g., purpose, scope, roles and responsibilities\
        \ in the data processing ecosystem, and management commitment) consistent\
        \ with the organization\u2019s risk strategy to protect individuals\u2019\
        \ privacy."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p
      ref_id: CT.PO-P1
      description: Policies, processes, and procedures for authorizing data processing
        (e.g., organizational decisions, individual consent), revoking authorizations,
        and maintaining authorizations are established and in place.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p
      ref_id: CT.PO-P2
      description: Policies, processes, and procedures for enabling data review, transfer,
        sharing or disclosure, alteration, and deletion are established and in place
        (e.g., to maintain data quality, manage data retention).
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p
      ref_id: CT.PO-P3
      description: "Policies, processes, and procedures for enabling individuals\u2019\
        \ data processing preferences and requests are established and in place."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.po-p
      ref_id: CT.PO-P4
      description: A data life cycle to manage data is aligned and implemented with
        the system development life cycle to manage systems.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p
      ref_id: CT.DM-P
      name: Data Processing Management
      description: "Data are managed consistent with the organization\u2019s risk\
        \ strategy to protect individuals\u2019 privacy, increase manageability, and\
        \ enable the implementation of privacy principles (e.g., individual participation,\
        \ data quality, data minimization). "
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      ref_id: CT.DM-P1
      description: Data elements can be accessed for review.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      ref_id: CT.DM-P2
      description: Data elements can be accessed for transmission or disclosure.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      ref_id: CT.DM-P3
      description: Data elements can be accessed for alteration.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      ref_id: CT.DM-P4
      description: Data elements can be accessed for deletion.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      ref_id: CT.DM-P5
      description: Data are destroyed according to policy.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      ref_id: CT.DM-P6
      description: Data are transmitted using standardized formats.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      ref_id: CT.DM-P7
      description: Mechanisms for transmitting processing permissions and related
        data values with data elements are established and in place.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      ref_id: CT.DM-P8
      description: Audit/log records are determined, documented, implemented, and
        reviewed in accordance with policy and incorporating the principle of data
        minimization.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p9
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      ref_id: CT.DM-P9
      description: Technical measures implemented to manage data processing are tested
        and assessed.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p10
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dm-p
      ref_id: CT.DM-P10
      description: Stakeholder privacy preferences are included in algorithmic design
        objectives and outputs are evaluated against these preferences.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct-p
      ref_id: CT.DP-P
      name: Disassociated Processing
      description: "Data processing solutions increase disassociability consistent\
        \ with the organization\u2019s risk strategy to protect individuals\u2019\
        \ privacy and enable implementation of privacy principles (e.g., data minimization)."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p
      ref_id: CT.DP-P1
      description: Data are processed to limit observability and linkability (e.g.,
        data actions take place on local devices, privacy-preserving cryptography).
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p
      ref_id: CT.DP-P2
      description: Data are processed to limit the identification of individuals (e.g.,
        de-identification privacy techniques, tokenization).
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p
      ref_id: CT.DP-P3
      description: "Data are processed to limit the formulation of inferences about\
        \ individuals\u2019 behavior or activities (e.g., data processing is decentralized,\
        \ distributed architectures)."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p
      ref_id: CT.DP-P4
      description: 'System or device configurations permit selective collection or
        disclosure of data elements. '
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:ct.dp-p
      ref_id: CT.DP-P5
      description: Attribute references are substituted for attribute values.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p
      assessable: false
      depth: 1
      ref_id: CM-P
      name: COMMUNICATE-P
      description: Develop and implement appropriate activities to enable organizations
        and individuals to have a reliable understanding and engage in a dialogue
        about how data are processed and associated privacy risks.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p
      ref_id: CM.PO-P
      name: Communication Policies, Processes, and Procedures
      description: "Policies, processes, and procedures are maintained and used to\
        \ increase transparency of the organization\u2019s data processing practices\
        \ (e.g., purpose, scope, roles and responsibilities in the data processing\
        \ ecosystem, and management commitment) and associated privacy risks."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p
      ref_id: CM.PO-P1
      description: Transparency policies, processes, and procedures for communicating
        data processing purposes, practices, and associated privacy risks are established
        and in place.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.po-p
      ref_id: CM.PO-P2
      description: Roles and responsibilities (e.g., public relations) for communicating
        data processing purposes, practices, and associated privacy risks are established.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm-p
      ref_id: CM.AW-P
      name: Data Processing Awareness
      description: "Individuals and organizations have reliable knowledge about data\
        \ processing practices and associated privacy risks, and effective mechanisms\
        \ are used and maintained to increase predictability consistent with the organization\u2019\
        s risk strategy to protect individuals\u2019 privacy. "
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p
      ref_id: CM.AW-P1
      description: "Mechanisms (e.g., notices, internal or public reports) for communicating\
        \ data processing purposes, practices, associated privacy risks, and options\
        \ for enabling individuals\u2019 data processing preferences and requests\
        \ are established and in place."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p
      ref_id: CM.AW-P2
      description: Mechanisms for obtaining feedback from individuals (e.g., surveys
        or focus groups) about data processing and associated privacy risks are established
        and in place.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p
      ref_id: CM.AW-P3
      description: System/product/service design enables data processing visibility.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p
      ref_id: CM.AW-P4
      description: Records of data disclosures and sharing are maintained and can
        be accessed for review or transmission/disclosure.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p
      ref_id: CM.AW-P5
      description: Data corrections or deletions can be communicated to individuals
        or organizations (e.g., data sources) in the data processing ecosystem.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p
      ref_id: CM.AW-P6
      description: Data provenance and lineage are maintained and can be accessed
        for review or transmission/disclosure.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p
      ref_id: CM.AW-P7
      description: Impacted individuals and organizations are notified about a privacy
        breach or event.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:cm.aw-p
      ref_id: CM.AW-P8
      description: Individuals are provided with mitigation mechanisms (e.g., credit
        monitoring, consent withdrawal, data alteration or deletion) to address impacts
        of problematic data actions.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p
      assessable: false
      depth: 1
      ref_id: PR-P
      name: PROTECT-P
      description: Develop and implement appropriate data processing safeguards.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p
      ref_id: PR.PO-P
      name: Data Protection Policies, Processes, and Procedures
      description: Security and privacy policies (e.g., purpose, scope, roles and
        responsibilities in the data processing ecosystem, and management commitment),
        processes, and procedures are maintained and used to manage the protection
        of data.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      ref_id: PR.PO-P1
      description: A baseline configuration of information technology is created and
        maintained incorporating security principles (e.g., concept of least functionality).
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      ref_id: PR.PO-P2
      description: Configuration change control processes are established and in place.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      ref_id: PR.PO-P3
      description: Backups of information are conducted, maintained, and tested.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      ref_id: PR.PO-P4
      description: Policy and regulations regarding the physical operating environment
        for organizational assets are met.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      ref_id: PR.PO-P5
      description: Protection processes are improved.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      ref_id: PR.PO-P6
      description: Effectiveness of protection technologies is shared.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      ref_id: PR.PO-P7
      description: Response plans (Incident Response and Business Continuity) and
        recovery plans (Incident Recovery and Disaster Recovery) are established,
        in place, and managed.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      ref_id: PR.PO-P8
      description: Response and recovery plans are tested.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p9
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      ref_id: PR.PO-P9
      description: Privacy procedures are included in human resources practices (e.g.,
        deprovisioning, personnel screening).
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p10
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.po-p
      ref_id: PR.PO-P10
      description: A vulnerability management plan is developed and implemented.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p
      ref_id: PR.AC-P
      name: Identity Management, Authentication, and Access Control
      description: Access to data and devices is limited to authorized individuals,
        processes, and devices, and is managed consistent with the assessed risk of
        unauthorized access.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p
      ref_id: PR.AC-P1
      description: Identities and credentials are issued, managed, verified, revoked,
        and audited for authorized individuals, processes, and devices.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p
      ref_id: PR.AC-P2
      description: Physical access to data and devices is managed.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p
      ref_id: PR.AC-P3
      description: Remote access is managed.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p
      ref_id: PR.AC-P4
      description: Access permissions and authorizations are managed, incorporating
        the principles of least privilege and separation of duties.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p
      ref_id: PR.AC-P5
      description: Network integrity is protected (e.g., network segregation, network
        segmentation).
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ac-p
      ref_id: PR.AC-P6
      description: "Individuals and devices are proofed and bound to credentials,\
        \ and authenticated commensurate with the risk of the transaction (e.g., individuals\u2019\
        \ security and privacy risks and other organizational risks)."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p
      ref_id: PR.DS-P
      name: Data Security
      description: "Data are managed consistent with the organization\u2019s risk\
        \ strategy to protect individuals\u2019 privacy and maintain data confidentiality,\
        \ integrity, and availability."
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p
      ref_id: PR.DS-P1
      description: Data-at-rest are protected.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p
      ref_id: PR.DS-P2
      description: Data-in-transit are protected.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p
      ref_id: PR.DS-P3
      description: Systems/products/services and associated data are formally managed
        throughout removal, transfers, and disposition.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p
      ref_id: PR.DS-P4
      description: Adequate capacity to ensure availability is maintained.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p5
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p
      ref_id: PR.DS-P5
      description: Protections against data leaks are implemented.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p6
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p
      ref_id: PR.DS-P6
      description: Integrity checking mechanisms are used to verify software, firmware,
        and information integrity.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p7
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p
      ref_id: PR.DS-P7
      description: The development and testing environment(s) are separate from the
        production environment.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p8
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ds-p
      ref_id: PR.DS-P8
      description: Integrity checking mechanisms are used to verify hardware integrity.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p
      ref_id: PR.MA-P
      name: Maintenance
      description: System maintenance and repairs are performed consistent with policies,
        processes, and procedures.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p
      ref_id: PR.MA-P1
      description: Maintenance and repair of organizational assets are performed and
        logged, with approved and controlled tools.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.ma-p
      ref_id: PR.MA-P2
      description: Remote maintenance of organizational assets is approved, logged,
        and performed in a manner that prevents unauthorized access.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p
      assessable: false
      depth: 2
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr-p
      ref_id: PR.PT-P
      name: Protective Technology
      description: Technical security solutions are managed to ensure the security
        and resilience of systems/products/services and associated data, consistent
        with related policies, processes, procedures, and agreements.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p1
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p
      ref_id: PR.PT-P1
      description: Removable media is protected and its use restricted according to
        policy.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p2
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p
      ref_id: PR.PT-P2
      description: The principle of least functionality is incorporated by configuring
        systems to provide only essential capabilities.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p3
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p
      ref_id: PR.PT-P3
      description: Communications and control networks are protected.
    - urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p4
      assessable: true
      depth: 3
      parent_urn: urn:intuitem:risk:req_node:nist-privacy-1.0:pr.pt-p
      ref_id: PR.PT-P4
      description: Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented
        to achieve resilience requirements in normal and adverse situations.